topic Re: packet_captures.sh - Packet Captures for Dummies in API / CLI Discussion

packet_captures.sh - Packet Captures for Dummies

KernelGordon — Wed, 08 Jan 2020 06:07:41 GMT

What is packet_captures.sh?

packet_capture.sh is an open-source community tool which simplifies the way to collect:

1) tcpdump captures

2) FW Monitor captures

3) Kernel Debugs *ALWAYS during a maintenance window*

More functionality coming when I stop being lazy!

The main benefits are:

All captures and/or debugs are taken at the same time.
All captures and/or debugs are zipped into a single .tgz to be pulled from the device
No need to remember tcpdump or FW Monitor syntax

packet_captures.sh source code - HERE.

How to use it?

Put Script on GW
Run the following commands from expert mode:
dos2unix packet_captures.sh
chmod +x packet_captures.sh
./packet_captures.sh

Usage ./packet_captures.sh [-s <source IP>] [-d <destination IP>] [-p <port>] [-t] [-f] [-k]

Flag	Description
-s	Used to specify source IP for filtering tcpdump and FW Monitor captures. Multiple source IPs can be entered, each IP must be entered in [-s <source IP>] format
-d	Used to specify destination IP for filtering tcpdump and FW Monitor captures. Multiple destination IPs can be entered, each IP must be entered in [-d <destination IP>] format
-p	Used to specify port for filtering tcpdump and FW Monitor captures. Multiple ports can be entered, each port must be entered in [-p <port>] format
-t	Tells script to take a tcpdump on all relevent interfaces based on IPs provided with -s and -d flags. Tcpdump will be filtered according to source IP(s), dedstination IP(s), and port(s) provided to script.
-f	Tells script to take a FW Monitor capture. SecureXL will be disabled for captures on versions R80.10 and below. FW Monitor will be filtered according to source IP(s), dedstination IP(s), and port(s) provided to script.
-k	Tells script to take Kernel Debugs. Entering only -k flag will default to debugging the fw module with the drop flag (fw ctl debug -m fw + drop). You can select the module and flags that you want to debug by running the -k flag followed by the module and flags in double-quotes like so: -k "-m fw + drop".

*DISCLAIMER - This open source tool is provided “As Is”. No representations or warranties are provided with the use of this tool.

Re: packet_captures.sh - Packet Captures for Dummies

Danny — Wed, 08 Jan 2020 10:54:28 GMT

Your code says:

# FW Monitor syntax changed from R80.20 take 76 onwards
#TODO: Create different FW Monitor filters for new and old syntax.

Well, R80.30 doesn't feature the new simple capture filter (yet), so you need to check whether the system actually features the new -F syntax independently from the version. Also while -F may be available the end user should still be allowed to use the traditional -e command if he/she wants to as this is still supported and may just require disabling of ClusterXL while running fw monitor.

I like your efforts in this project and I'm also working on a similar one called: FW Monitor SuperTool

Re: packet_captures.sh - Packet Captures for Dummies

KernelGordon — Thu, 09 Jan 2020 22:48:40 GMT

Thanks for the input on the script. I added a check for the new FW Monitor syntax with the '-F' flag as well as an error message to alert users when they have run the script will enough IPs and ports to generate over 5 filters.

The new '-F' flag is very limiting compared to the old '-e' syntax as it can only handle 5 filters and it forces them to all be logical OR...

I'm really interested in your SuperTool and some of the other scripts you've written. I've learned a little from just going over them. 😁

Re: packet_captures.sh - Packet Captures for Dummies

Daniel_ — Fri, 11 Dec 2020 07:08:58 GMT

Maybe you can modify your script to check if cppcap is available and use this instead of tcpdump?

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk141412